Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for executing an application in a Near Field Communication (NFC) device, the method comprising: establishing a contactless link between a first NFC device and a second NFC device; transmitting, by the first NFC device through the contactless link, an identifier of the first NFC device to the second NFC device; transmitting, by the second NFC device through the contactless link, an application identifier to the first NFC device; transmitting by the second NFC device to an application server, the identifier of the first NFC device and the application identifier; transmitting, by the application server to an authentication server, the identifier of the first NFC device and the application identifier; verifying, by the authentication server, whether the identifier of the first NFC device is stored in association with the application identifier; and in the event the identifier of the first NFC device is stored in association with the application identifier, authorizing, by the authentication server, a transaction during the execution of the application, the authorizing including transmitting, to the application server, an identifier of a user of the first NFC device that corresponds with the identifier of the first NFC device.
2. The method of claim 1 , wherein the authentication server periodically modifies the identifier of the first NFC device and updates a corresponding link between the identifier of the user and the identifier of the first NFC device.
3. The method of claim 1 , wherein: the identifier of the first NFC device includes an identifier of a secure processor of the first NFC device; the secure processor transmits, through the contactless link, first authentication data allowing the secure processor of the first NFC device to be authenticated; the second NFC device transmits, to the application server, the first authentication data; the application server transmits, to the authentication server, the first authentication data and second authentication data allowing the application corresponding to the application identifier to be authenticated; and the authentication server verifies the authentication data, the first NFC device and the second NFC device being authorized to execute the application only if the secure processor and the application are authenticated.
4. The method of claim 3 , wherein: the first NFC device transmits, to the authentication server, an application installation request including an application identifier of an application to be installed, and the first authentication data allowing the secure processor of the first NFC device to be authenticated; the authentication server verifies the first authentication data and, if the secure processor is authenticated, transmits, to the first NFC device, an address for downloading the application to be installed; and the first NFC device downloads the application to be installed from the received download address and installs the downloaded application.
5. The method of claim 4 , wherein: after installation of the downloaded application, the first NFC device informs the authentication server of the application installation by supplying, to the authentication server, the identifier of the installed application and the first authentication data; and the authentication server verifies the first authentication data and, if the secure processor is authenticated, the authentication server stores the application identifier in association with the secure processor identifier of the first NFC device.
6. The method of claim 5 , wherein the authentication server does not transmit, to the first NFC device, the address for downloading the application if the application identifier is already stored in the authentication server in association with the identifier of the secure processor of the first NFC device.
7. The method of claim 5 , wherein the authentication server does not authorize the execution of the application by the first NFC device and the second NFC device if the application identifier is not stored in the authentication server in association with the identifier of the secure processor of the first NFC device.
8. The method of claim 3 , wherein the first authentication data includes the secure processor identifier and a first cryptogram, the first cryptogram being calculated by the secure processor by applying, to the secure processor identifier, an encryption calculation using a secret key included in the secure processor.
9. The method of claim 8 , wherein the second authentication data includes the secure processor identifier, the application identifier and a second cryptogram, the second cryptogram being calculated by the application server by applying an encryption calculation to the application identifier using a secret key specific to the application.
10. The method of claim 9 , wherein the second cryptogram is calculated by applying the encryption calculation to the application identifier and to the first cryptogram.
11. The method of claim 9 , wherein at least one of the first cryptogram and the second cryptogram is calculated using one of a symmetric encryption algorithm using the secret key, an asymmetric encryption algorithm using a private key, and a hashing function applied to the data to be ciphered and the secret key.
12. The method of claim 9 , wherein verifying each of the first cryptogram and the second cryptogram is performed by recalculating the respective cryptogram from same respective data and by using an encryption key accessible to the authentication server.
13. A system for executing a secure application in a Near Field Communication (NFC) device, the system comprising: a first NFC device including: an NFC component configured to establish contactless communication with another NFC device; and a secure processor coupled with the NFC component; a second NFC device coupled with an application server and configured to execute an application with the first NFC device; and an authentication server accessible to the application server and to the first NFC device, the system being configured to: establish a contactless communication link between the first NFC device and the second NFC device; transmit, from the first NFC device through the contactless link, an identifier of the first NFC device to the second NFC device; transmit, from the second NFC device through the contactless communication link, an application identifier to the first NFC device; transmit, from the second NFC device to the application server, the identifier of the first NFC device and the application identifier; and transmit, from the application server to the authentication server, the identifier of the first NFC device and the application identifier, the authentication server being configured to: verify whether the identifier of the first NFC device is stored in association with the application identifier; and if the identifier of the first NFC device is stored in association with the application identifier, authorize a transaction during the execution of the application by transmitting, to the application server, an identifier of a user of the first NFC device, the identifier of the user corresponding to the identifier of the first NFC device.
14. The system of claim 13 , wherein the authentication server is configured to periodically modify the identifier of the first NFC device and update a corresponding link between the identifier of the user of the first NFC device and the identifier of the first NFC device.
15. The system of claim 13 , wherein: the identifier of the first NFC device includes an identifier of a secure processor of the first NFC device; the secure processor is configured to transmit, through the contactless communication link, first authentication data for authenticating the secure processor of the first NFC device; the second NFC device is configured to transmit, to the application server, the first authentication data; the application server is configured to transmit, to the authentication server, the first authentication data and second authentication data for authenticating the application corresponding to the application identifier; and the authentication server is configured to verify the authentication data, and to authorize the first NFC device and the second NFC device to execute the application only if the secure processor and the application are authenticated.
16. The system of claim 15 , wherein: the first NFC device is configured to transmit to the authentication server an application installation request including an application identifier of an application to be installed, and the first authentication data for authenticating the secure processor of the first NFC device; the authentication server is configured to verify the first authentication data and, if the secure processor is authenticated, to transmit, to the first NFC device, an address for downloading the application; and the first NFC device is configured to: download the application to be installed from the received download address; and install the downloaded application.
17. The system of claim 16 , wherein, the first NFC device is configured to, after installation of the downloaded application, inform the authentication server of the application installation by supplying, to the authentication server, the identifier of the installed application and the first authentication data; and the authentication server is configured to verify the first authentication data and, if the secure processor is authenticated, to store the application identifier in association with the secure processor identifier of the first NFC device.
18. The system of claim 17 , wherein the authentication server is configured to not transmit, to the first NFC device, the address for downloading the application if the application identifier is already stored in the authentication server in association with the identifier of the secure processor of the first NFC device.
19. The system of claim 17 , wherein the authentication server is configured to not authorize the execution of the application by the first NFC device and the second NFC device if the application identifier is not stored in the authentication server in association with the identifier of the secure processor of the first NFC device.
20. The system of claim 15 , wherein the first authentication data includes the secure processor identifier and a first cryptogram, the first cryptogram being calculated by the secure processor by applying, to the secure processor identifier, an encryption calculation using a secret key included in the secure processor.
21. The system of claim 20 , wherein the second authentication data includes the secure processor identifier, the application identifier and a second cryptogram, the second cryptogram being calculated by the application server by applying an encryption calculation to the application identifier using a secret key specific to the application.
22. The system of claim 21 , wherein the second cryptogram is calculated by applying the encryption calculation to the application identifier and to the first cryptogram.
23. The system of claim 21 , wherein at least one of the first cryptogram and the second cryptogram is calculated using one of a symmetric encryption algorithm using the secret key, an asymmetric encryption algorithm using a private key, and a hashing function applied to the data to be ciphered and the secret key.
24. The system of claim 20 , wherein verifying each of the first cryptogram and the second cryptogram is performed by recalculating the respective cryptogram from same respective data and by using an encryption key accessible to the authentication server.
25. An apparatus comprising: a Near Field Communication (NFC) component configured to establish a contactless communication with an NFC device; and a secure processor coupled with the NFC component, wherein the secure processor includes a software component associated with an identifier of the software component that is distinct from an identifier of a user of the secure processor, the software component being configured to: establish a contactless communication link with an NFC device through the NFC component; transmit the identifier of the software component through the contactless link; receive, through the contactless link, an application identifier; compute authentication data using the identifier of the software component; and transmit, through the contactless link, the authentication data, the secure processor being authorized to execute an application corresponding to the application identifier only if the identifier of the software component is linked to the application identifier in an authentication server.
26. The apparatus of claim 25 , wherein the software component is configured to cause the secure processor to verify whether or not the received application identifier is included in a list of applications included in the secure processor.
27. The apparatus of claim 25 , wherein the authentication data includes the software component identifier and a first cryptogram that is calculated by the secure processor by applying, to the software component identifier, an encryption calculation using a secret key included in the secure processor.
28. The apparatus of claim 27 , wherein the first cryptogram is calculated by the secure processor using at least one of a symmetric encryption algorithm applied to the secret key, an asymmetric encryption algorithm using a private key, and a hash function applied to the data to be ciphered and to the secret key.
29. The apparatus of claim 25 , wherein the secure processor is configured to: store the software component identifier as a current software component identifier; receive the software component identifier and a new identifier; and when the received software component identifier corresponds to the stored current software component identifier: store the new identifier as the current software component identifier; and transmit a notification indicating that the received new identifier is stored as the current software component identifier.
Unknown
August 30, 2016
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.